EP3195123B1 - Dynamic application containers - Google Patents

Dynamic application containers

Publication number
EP3195123B1
Authority
EP
European Patent Office
Prior art keywords
applications
application
container
computer
certain
Prior art date
Legal status
Active
Application number
EP15775846.7A
Other languages
German (de)
French (fr)
Other versions
EP3195123A1 (en)
Inventor
Jeremy Christopher DORFMAN
Jeremy Edward DUNKER
Current Assignee
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Priority date
Filing date
Publication date
Application filed by Microsoft Technology Licensing LLC
Publication of EP3195123A1
Application granted
Publication of EP3195123B1
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register

Definitions

  • The method 200 may be practiced where the change in certain conditions includes factors related to change in policy. Policy changes may affect how applications are assigned to containers.
  • The method 200 may be practiced where the change in certain conditions includes factors related to an application action.
  • The method 200 may be practiced where the change in certain conditions includes factors related to identity switching. Thus, for example, if a user switches accounts or otherwise switches their identity on a device, this may cause a change in how applications are assigned to containers.
  • The method 200 may be practiced where the change in certain conditions includes factors related to geo-fencing.
  • The physical location of the device may be determined (such as through GPS, cellular tower tracking, Wi-Fi location services, etc.) and the physical location may be used to determine how applications are assigned to containers.
  • The method 200 may be practiced where the change in certain conditions includes factors related to time fencing.
  • Container assignments may be changed based on time.
  • Administrators may wish to restrict or permit application functionality. For example, an administrator may wish to allow access to certain data during working hours, but restrict the access outside of those hours.
  • The method 200 may be practiced where the change in certain conditions includes factors related to network changes.
  • Certain networks may be more secure than other networks.
  • A VPN may be used which will affect container assignments.
  • Decisions may be based on the type of network (such as wireless, cellular, hard-wired), speed of the network, or other considerations.
  • Applications may be placed into containers, based on network considerations and/or changing network considerations, to allow or restrict data access.
  • The method 200 may be practiced where the change in certain conditions includes factors related to change in device compliance state.
  • A device may have its data encryption, password, or other state changed to a non-compliant state.
  • The method 200 may be practiced where an application can belong to a plurality of different containers.
  • The methods may be practiced by a computer system including one or more processors and computer-readable media such as computer memory.
  • The computer memory may store computer-executable instructions that when executed by one or more processors cause various functions to be performed, such as the acts recited in the embodiments.
  • Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware, as discussed in greater detail below.
  • Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures.
  • Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system.
  • Computer-readable media that store computer-executable instructions are physical storage media.
  • Computer-readable media that carry computer-executable instructions are transmission media.
  • Embodiments of the invention can comprise at least two distinctly different kinds of computer-readable media: physical computer-readable storage media and transmission computer-readable media.
  • Physical computer-readable storage media includes RAM, ROM, EEPROM, CD-ROM or other optical disk storage (such as CDs, DVDs, etc.), magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
  • A "network" is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules and/or other electronic devices.
  • A network or another communications connection can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Combinations of the above are also included within the scope of computer-readable media.
  • Program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission computer-readable media to physical computer-readable storage media (or vice versa).
  • Program code means in the form of computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a "NIC"), and then eventually transferred to computer system RAM and/or to less volatile computer-readable physical storage media at a computer system.
  • Computer-readable physical storage media can be included in computer system components that also (or even primarily) utilize transmission media.
  • Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.
  • The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code.
  • The invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, and the like.
  • The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks.
  • Program modules may be located in both local and remote memory storage devices.
  • The functionality described herein can be performed, at least in part, by one or more hardware logic components.
  • Illustrative types of hardware logic components include: Field-programmable Gate Arrays (FPGAs), Program-specific Integrated Circuits (ASICs), Program-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), Complex Programmable Logic Devices (CPLDs), etc.

Description

    Background and Relevant Art
  • Handheld mobile computing devices have become ubiquitous. For example, many people have so-called smart phones or tablet computers. Such devices allow users to use cellular data systems or other network systems to access a broad spectrum of services. For example, using such devices, a user can access email, the Internet, on-line databases, etc. People who have personal smart phones (or other smart devices) may often want to use these personal devices to access company resources belonging to the companies by which they are employed.
  • Identifying and dealing with different classifications of data (e.g. personal versus corporate) on mobile devices can be difficult, particularly when the device is used in different user settings (e.g. business vs. personal use).
  • The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.
  • Patent application document US2011161988 discloses an operating system having a kernel level and a user level, with the kernel level configured with a first container and a second container. The first container is assigned to a first namespace and the second container is assigned to a second namespace. Both the first and second namespaces are isolated from each other and at the same time in communication with at least one shared object. Communication across the containers is created through a socket in the namespace of the shared object of one or both containers.
    BRIEF SUMMARY
  • One embodiment illustrated herein includes a method that may be practiced in a computing environment. The method includes acts for managing application interaction on a device using dynamic containers. The method includes, for a set of applications on a device, based on certain conditions, determining a plurality of container groups. Each container group defines a set of applications and a set of interaction parameters defining boundaries of interactions between the applications for the applications in the container group. The method further includes identifying one or more changes in the certain conditions. As a result of identifying one or more changes in the certain conditions, the method includes changing membership in the container groups.
  • Another embodiment includes a device configured to manage application interaction. The device includes a plurality of applications. The device further includes a plurality of application containers. A given application container groups applications together and enforces boundaries of interaction between the applications in the given container. The device is configured to change a set of applications in a container based on changes in conditions.
  • This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
  • Additional features and advantages will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the teachings herein. Features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. Features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.
    The invention is defined by the independent claims. Dependent claims disclose additional embodiments.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • In order to describe the manner in which the above-recited and other advantages and features can be obtained, a more particular description of the subject matter briefly described above will be rendered by reference to specific embodiments which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments and are not therefore to be considered limiting in scope, embodiments will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
    • Figure 1 illustrates a device having applications dynamically organized into containers; and
    • Figure 2 illustrates a method of managing application interaction on a device using dynamic containers.
    DETAILED DESCRIPTION
  • A containerization solution can be used to isolate different classifications of data from one another. Containerization is the process of segregating data on a device such that data that meets a certain set of qualifiers ends up in a particular set of containers. The goal of containerization is to apply a certain set of traits to a particular container, e.g. encryption or access restriction. In some embodiments, a container can enforce boundaries of interaction between applications in the container. Some embodiments herein implement a set of mechanisms for dynamically building one or more containers for applications based on one or more attributes. For example, attributes may include one or more of: sources of applications, policy constraints, factors related to installation of an application, network connections, geo fencing considerations, time fencing considerations, etc. The ability to dynamically produce containers gives greater flexibility in determining how information is shared amongst applications.
  • Referring now to Figure 1, an example embodiment is illustrated. Figure 1 illustrates a device 102. The device may be, for example, a mobile device such as a phone, tablet or other mobile device. However, the device 102 may be a specimen selected from classes of other less mobile or immobile computing devices. The device 102 has installed thereon a set of applications 104.
  • Embodiments can leverage multiple pieces of information to determine the containers in which an application can participate. Figure 1 illustrates a set of such containers 118. In the example illustrated in Figure 1, a device management agent 108, a centralized piece of software running on the device, is leveraged to retrieve application specific policy 116 from a service 112 and to enforce the application specific policy 116 to cause applications to be included in or excluded from certain containers. In some embodiments, the device management agent 108 may be implemented using Company Portal available from Microsoft Corporation of Redmond, Washington.
  • The device management agent may also monitor software installation on the device 102. In some embodiments, access to a given container is gated by the device management agent 108 on policy; however, the policy is targeted at specific applications that may originate from the management service 112 (such as an Intune service available from Microsoft Corporation of Redmond, Washington) or the platform provided store (such as iTunes for iOS platform devices, Play Store for Android devices, Windows Store for Windows devices, etc.). When an application that is restriction enabled starts, it contacts the management service 112 (such as, in the example illustrated, through the device management agent 108) to retrieve its policy and container specific configuration. This call to the management service 112 also enables applications that were on the device 102 prior to a given container enablement to participate in a new container.
  • Embodiments can also monitor the installation of new applications on the device 102 to determine if they should be granted access to a container. This allows applications that are added to the device 102 after an original container is defined to participate in the container if policy allows.
  • Various additions or alternatives may be implemented in various embodiments. For example, some embodiments may implement policy independent identification of applications for containers. For example, a container may be determined based on the publisher of an application, the application type, or other application characteristics.
  • In some embodiments, a single application may be able to participate in multiple containers simultaneously.
  • In some embodiments, alternate sources of information for container accessibility may be implemented. For example, embodiments may be able to restrict access to containers based on device location. This may be determined by GPS, cellular location, Wi-Fi location services, etc. Embodiments may be able to restrict access based on network connection considerations. For example, container accessibility may be restricted for certain applications where restrictions require a known network, connection to a VPN, certain network encryption, etc.
  • In some embodiments, multiple sources of information may be used to identify applications that can access a container.
  • Some embodiments may identify applications that should be included or excluded from a container based on defined policy.
  • As noted previously, some embodiments can allow applications which were on a device prior to a container solution being implemented to participate in the containers.
  • Embodiments may identify applications which should be included or excluded from the container based on installation source. Thus, for example, some applications may be excluded from certain containers if they are installed from the platform application repository, whereas applications installed from a management service through a device management agent may be allowed for those same containers.
  • Embodiments may be able to remove previously included applications from a container when criteria change. As noted, this may be enabled by checks made by applications when they start to contact a management service to obtain policy and container specific configuration.
  • Embodiments may identify applications which should be included or excluded from the container based on device compliance. For example, such factors may include operating systems, operating system versions, the device being password or PIN protected, password protection being of a certain level (such as length and/or complexity), etc.
  • As noted previously, embodiments may allow applications to participate in multiple distinct containers.
  • The following discussion now refers to a number of methods and method acts that may be performed. Although the method acts may be discussed in a certain order or illustrated in a flow chart as occurring in a particular order, no particular ordering is required unless specifically stated, or required because an act is dependent on another act being completed prior to the act being performed.
  • Referring now to Figure 2, a method 200 is illustrated. The method 200 includes acts that may be practiced in a computing environment. The method 200 includes acts for managing application interaction on a device. The method 200 includes, for a set of applications on a device, based on certain conditions, determining a plurality of container groups (act 202). Each container group defines a set of applications and a set of interaction parameters defining boundaries of interaction between the applications for the applications in a given container group. Thus, for example, as illustrated in Figure 1, applications 104 may be organized into different containers 118. Applications within a given container are allowed to interact with each other in certain ways as defined by the parameters for a given container. Interaction details will be discussed in more detail below.
  • The method 200 further includes identifying one or more changes in the certain conditions (act 204). Examples of various changes are illustrated below.
  • The method 200 further includes, as a result of identifying one or more changes in the certain conditions, changing membership in the container groups (act 206). Thus, applications can be dynamically placed in different containers.
  • Various interaction boundaries may be enforced for applications in the same container. For example, the method 200 may be practiced where the boundaries of interactions between the applications comprise allowing sharing encryption for a dataset. Thus for example, different applications can use a same encrypted dataset. The applications may share encryption and decryption keys when they are in the same container.
  • Alternatively or additionally, the boundaries of interactions between the applications may include restricting access to certain data.
  • Alternatively or additionally, the boundaries of interactions between the applications may include restricting certain interactions. For example, cut/copy/paste functionality may be restricted between applications in the same container and/or from those applications to other applications. Other boundaries may include boundaries on starting another application, checking for the existence of another application, reading documents or data from another application, sending data to another application, being started by another application, etc.
  • The method 200 may be practiced where the certain conditions comprise factors related to installation source for an application. For example, container selection for an application may be different when the application is installed from a general application store than when installed from an organization specific repository of applications.
  • The method 200 may be practiced where the change in certain conditions includes factors related to installation of an application. For example, a new application being installed may affect container decisions for other applications. This may be due to the installed application itself being included in one or more containers, restrictions of existing applications with respect to the installed application, or for other reasons. Similarly, the method 200 may be practiced where the change in certain conditions includes factors related to removal of an application. Similarly, the method 200 may be practiced where the change in certain conditions includes factors related to an application update.
  • The method 200 may be practiced where the change in certain conditions includes factors related to change in policy. Policy changes may affect how applications are assigned to containers.
  • The method 200 may be practiced where the change in certain conditions includes factors related to an application action.
  • The method 200 may be practiced where the change in certain conditions includes factors related to identity switching. Thus, for example, if a user switches accounts or otherwise switches their identity on a device, this may cause a change in how applications are assigned to containers.
  • The method 200 may be practiced where the change in certain conditions includes factors related to geo-fencing. Thus, for example, the physical location of the device may be determined (such as through GPS, cellular tower tracking, Wi-Fi location services, etc.) and the physical location may be used to determine how applications are assigned to containers. Similarly, the method 200 may be practiced where the change in certain conditions includes factors related to time fencing. Container assignments may be changed based on time. Thus, for example, at certain times of the day, administrators may wish to restrict or permit application functionality. For example, an administrator may wish to allow access to certain data during working hours, but restrict the access outside of those hours.
  • The method 200 may be practiced where the change in certain conditions includes factors related to network changes. Thus, for example, certain networks may be more secure than other networks. Alternatively or additionally, a VPN may be used which will affect container assignments. Alternatively or additionally, decisions may be based on the type of network (such as wireless, cellular, hard-wired), speed of the network, or other considerations. Applications may be placed into containers, based on network considerations and/or changing network considerations, to allow or restrict data access.
  • The method 200 may be practiced where the change in certain conditions includes factors related to change in device compliance state. For example, a device may have its data encryption, password, or other state changed to a non-compliant state.
  • The method 200 may be practiced where an application can belong to a plurality of different containers.
  • Further, the methods may be practiced by a computer system including one or more processors and computer-readable media such as computer memory. In particular, the computer memory may store computer-executable instructions that when executed by one or more processors cause various functions to be performed, such as the acts recited in the embodiments.
  • Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware, as discussed in greater detail below. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system. Computer-readable media that store computer-executable instructions are physical storage media. Computer-readable media that carry computer-executable instructions are transmission media. Thus, by way of example, and not limitation, embodiments of the invention can comprise at least two distinctly different kinds of computer-readable media: physical computer-readable storage media and transmission computer-readable media.
  • Physical computer-readable storage media includes RAM, ROM, EEPROM, CD-ROM or other optical disk storage (such as CDs, DVDs, etc), magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
  • A "network" is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Combinations of the above are also included within the scope of computer-readable media.
  • Further, upon reaching various computer system components, program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission computer-readable media to physical computer-readable storage media (or vice versa). For example, computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a "NIC"), and then eventually transferred to computer system RAM and/or to less volatile computer-readable physical storage media at a computer system. Thus, computer-readable physical storage media can be included in computer system components that also (or even primarily) utilize transmission media.
  • Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the described features or acts described above. Rather, the described features and acts are disclosed as example forms of implementing the claims.
  • Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.
  • Alternatively, or in addition, the functionality described herein can be performed, at least in part, by one or more hardware logic components. For example, and without limitation, illustrative types of hardware logic components that can be used include: Field-programmable Gate Arrays (FPGAs), Program-specific Integrated Circuits (ASICs), Program-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), Complex Programmable Logic Devices (CPLDs), etc.
  • The present invention may be embodied in other specific forms without departing from its characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description.
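
The acts of method 200 (determine container groups, detect a change in conditions, change membership) and the interaction boundaries described above can be modelled as a small policy evaluator. This is an added example, not code from the patent or from any product; the class names, container names, source and network labels, and the fail-closed default for applications that share no container are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class App:
    name: str
    install_source: str      # constructed labels: "management_service", "platform_store"

@dataclass(frozen=True)
class Conditions:
    device_compliant: bool   # e.g. PIN set and storage encrypted
    network: str             # constructed labels: "corp_vpn", "public_wifi"
    now: time                # local time, used for time fencing

@dataclass
class Container:
    name: str
    allowed_sources: FrozenSet[str]
    require_compliance: bool
    allowed_networks: Optional[FrozenSet[str]]  # None means any network
    hours: Optional[Tuple[time, time]]          # None means no time fence
    allow_paste: bool                           # interaction parameter
    share_keys: bool                            # interaction parameter
    members: Set[str] = field(default_factory=set)

    def admits(self, app: App, cond: Conditions) -> bool:
        """Every criterion must hold; any failed check excludes the app."""
        if app.install_source not in self.allowed_sources:
            return False
        if self.require_compliance and not cond.device_compliant:
            return False
        if self.allowed_networks is not None and cond.network not in self.allowed_networks:
            return False
        if self.hours is not None and not (self.hours[0] <= cond.now < self.hours[1]):
            return False
        return True

def determine_groups(apps: List[App], containers: List[Container],
                     cond: Conditions) -> Dict[str, Set[str]]:
    """Act 202: compute membership; one app may land in several containers."""
    for c in containers:
        c.members = {a.name for a in apps if c.admits(a, cond)}
    return {c.name: set(c.members) for c in containers}

def apply_change(apps: List[App], containers: List[Container],
                 new_cond: Conditions) -> List[Tuple[str, str, str]]:
    """Acts 204 and 206: re-evaluate under new conditions and report the
    membership changes as (app, container, "added" or "removed") for audit."""
    before = {c.name: set(c.members) for c in containers}
    after = determine_groups(apps, containers, new_cond)
    changes = []
    for name, members in after.items():
        changes += [(a, name, "removed") for a in sorted(before[name] - members)]
        changes += [(a, name, "added") for a in sorted(members - before[name])]
    return changes

def may_paste(src: str, dst: str, containers: List[Container]) -> bool:
    """Fail closed: paste needs a common container whose parameters allow it."""
    return any(c.allow_paste and src in c.members and dst in c.members
               for c in containers)

def shared_key_containers(a: str, b: str, containers: List[Container]) -> List[str]:
    """Containers in which both apps may use the same dataset keys."""
    return [c.name for c in containers
            if c.share_keys and a in c.members and b in c.members]

def build_sample() -> Tuple[List[App], List[Container]]:
    """Constructed sample data: three apps and three containers."""
    managed = frozenset({"management_service"})
    apps = [App("mail", "management_service"),
            App("docs", "management_service"),
            App("notes", "platform_store")]
    containers = [
        Container("corp", managed, True, None, None, True, True),
        Container("sensitive", managed, True, frozenset({"corp_vpn"}),
                  (time(9, 0), time(17, 0)), False, True),
        Container("personal", frozenset({"platform_store"}), False,
                  None, None, True, False),
    ]
    return apps, containers

if __name__ == "__main__":
    apps, containers = build_sample()
    print(determine_groups(apps, containers, Conditions(True, "corp_vpn", time(10, 0))))
    print(apply_change(apps, containers, Conditions(True, "public_wifi", time(10, 0))))
    print(apply_change(apps, containers, Conditions(False, "public_wifi", time(10, 0))))
```

Because membership is recomputed from scratch on every change, an application that no longer meets a container's criteria loses that container's paste and key-sharing rights at the next evaluation, and the returned change list gives a record of each removal.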

Claims (4)

  1. A computer-implemented method of managing application interaction on a device using containers, the computer-implemented method being performed by one or more processors executing computer executable instructions for the computer-implemented method, and the computer-implemented method comprising:
    for a set of applications on a device, based on certain conditions, determining a plurality of container groups, where each container group defines a set of applications and a set of interactions parameters defining boundaries of interactions between the applications for the applications in the container group, wherein applications within a given container are allowed to interact with each other in certain ways as defined by the parameters for the given container;
    identifying one or more changes in the certain conditions; and
    as a result of identifying one or more changes in the certain conditions changing membership in the container groups, comprising dynamically placing applications in different containers;
    wherein the change in certain conditions comprise factors related to one or more of:
    installation of an application; removal of an application; change in policy; an application update; an application action; identity switching; geo-fencing; time fencing; network changes; or change in device compliance state and wherein the certain condition comprises factors related to installation source for an application;
    wherein the boundaries of interactions between the applications comprise at least one of allowing sharing encryption for a dataset, restricting access to certain data, and restricting certain interactions.
  2. The computer-implemented method of claim 1, wherein an application can belong to a plurality of different containers.
  3. The computer-implemented method of claim 1, wherein the executable instructions are contained on one or more computer-readable media from which the computer-executable instructions are downloaded for execution by the one or more processors.
  4. In a computing environment, a device configured to manage application interaction, the device comprising:
    a plurality of applications;
    a plurality of application containers, wherein a given application container groups applications together and enforces boundaries of interaction between the applications in the given container based on certain conditions, wherein each container group defines a set of applications and a set of interactions parameters that define the boundaries, and wherein applications within a given container are allowed to interact with each other in certain ways as defined by the parameters for the given container; and
    wherein the device is configured to change a set of applications in a container based on changes in conditions, comprising changing membership in the container groups, comprising dynamically placing applications in different containers;
    wherein the change in certain conditions comprise factors related to one or more of:
    installation of an application; removal of an application; change in policy; an application update; an application action; identity switching; geo-fencing; time fencing; network changes; or change in device compliance state and wherein the certain condition comprises factors related to installation source for an application;
    wherein the boundaries of interactions between the applications comprise at least one of allowing sharing encryption for a dataset, restricting access to certain data, and restricting certain interactions.
EP15775846.7A 2014-09-19 2015-09-17 Dynamic application containers Active EP3195123B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/490,900 US9824136B2 (en) 2014-09-19 2014-09-19 Dynamic application containers
PCT/US2015/050545 WO2016044504A1 (en) 2014-09-19 2015-09-17 Dynamic application containers

Publications (2)

Publication Number Publication Date
EP3195123A1 2017-07-26
EP3195123B1 2020-11-25

Family

ID=54261074

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15775846.7A Active EP3195123B1 (en) 2014-09-19 2015-09-17 Dynamic application containers

Country Status (4)

Country Link
US (1) US9824136B2 (en)
EP (1) EP3195123B1 (en)
CN (1) CN106687928B (en)
WO (1) WO2016044504A1 (en)

Also Published As

Publication number Publication date
EP3195123A1 (en) 2017-07-26
US9824136B2 (en) 2017-11-21
US20160085841A1 (en) 2016-03-24
CN106687928A (en) 2017-05-17
WO2016044504A1 (en) 2016-03-24
CN106687928B (en) 2021-06-04
